Router LEDs Allow Data Theft From Air-Gapped Computers

The status LEDs present on networking equipment such as routers and switches can be abused to exfiltrate sensitive data from air-gapped systems at relatively high bit rates, researchers have demonstrated.

A paper published this week by the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel shows how data can be transferred from an air-gapped computer by modulating it using the blinking of a router’s LEDs.

The attack can be carried out either by planting malicious firmware on the targeted router or remotely using a software exploit. The firmware attack may be more difficult to carry out as the router needs to be infected either via the supply chain or social engineering, but the software attack could be easier to conduct given that many devices are affected by remotely exploitable vulnerabilities.

Once the targeted router or switch has been compromised, the attacker can take control of how the LEDs blink. Then, using various data modulation methods, each LED or a combination of LEDs can be used to transmit data to a receiver, which can be a camera or a light sensor.

For example, a “0” bit is transmitted if an LED is off for a specified duration, and a “1” bit is sent if the LED is on for a specified duration. Logical “0” or “1” bits can also be modulated through changes in frequency. In the case of devices that have multiple LEDs, the attacker can use the blinking lights to represent a series of bits, which results in a higher transfer rate.

According to researchers, the method can be used to exfiltrate data at a rate of up to 1,000 bits per second per LED, which is more than enough for stealing passwords and encryption keys. On a networking device with seven LEDs, experts managed to obtain a transfer rate of 10,000 bits per second, or roughly 1 kilobyte per second.

However, the transfer rate also depends on the receiver. For example, if an entry-level DSLR camera is used to capture video of the blinking LEDs, the maximum bit rate that can be achieved at 60 frames per second is 15 bits per second for each LED. The attacker could also use a smartphone camera and obtain a transfer rate of up to 60 bits per second.

The most efficient camera is a GoPro Hero5, which can record at up to 240 frames per second, resulting in a maximum bit rate of up to 120 bits per second for each LED. On the other hand, the best transfer rate can be achieved using a light sensor as the receiver.

In the past years, researchers at the Ben-Gurion University of the Negev have identified several methods that can be used to exfiltrate data from air-gapped systems, including via scanners, HDD activity LEDs, USB devices, the noise emitted by hard drives and fans, and heat emissions.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.